CVE-2026-0863
Published 2026-01-18
Priority P271 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 8.50% (94.4th percentile)
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system.
The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode.
If the instance is operating under the "External" execution mode (e.g., n8n's official Docker image), arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n | n8n | <= 1.123.14 | — |
| n8n | n8n | 2.0.0 – 2.3.5 | — |
| n8n | n8n | 2.4.0 – 2.4.2 | — |
Detection & IOCs (extracted from sources)
- Exploit vector is the n8n 'Code block' node. Monitor for Python code submissions using format-string-based object introspection (e.g., '{0.__class__.__mro__}' style payloads) combined with AttributeError.obj access patterns, which are the two primitives used to escape the Python AST sandbox.
- Exploitation requires an authenticated user with at least basic (non-admin) permissions to create or modify a workflow. Alert on workflow creation/modification events by low-privilege accounts on self-hosted n8n instances, especially those running in 'Internal' execution mode.
- Differentiate impact by execution mode: 'Internal' mode means RCE on the main n8n node (full instance takeover); 'External' mode (e.g., official Docker image) confines RCE to a Sidecar container. Identify which mode is in use to triage the severity of any triggered alerts.
- Prioritize patching self-hosted n8n instances; n8n cloud is already patched. Vulnerable self-hosted versions are those prior to 1.123.14, 2.3.5, and 2.4.2 for CVE-2026-0863.
- CVE-2026-0863 specifically requires Python 3.10+ on the host, as the exploit relies on the AttributeError.obj attribute introduced in Python 3.10. Instances running older Python versions may not be exploitable via this specific technique.
- The python-task-executor sandbox uses multiple validation layers including deny lists and AST-based controls; the bypass is achieved through subtle language features (string formatting + exception handling), meaning generic AST/deny-list controls alone are insufficient to detect or block this class of attack.
No detection rules found.
No public exploits indexed.
Bleepingcomputer: New sandbox escape flaw exposes n8n instances to RCE attacks
blogs_bleepingcomputer · 2026-01-28 · CVSS 8.5 · CVE-2026-1470 [HIGH]
By Bill Toulas
Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host.
Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog.
Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10. JFrog explained that the critical rating was due to arbitrary code execution occurring in n8n’s main node, which allows complete control over the n8n instance.
n8n is an open-source workflow automation platform that lets users link applications, APIs, and services into complex p
Wiz: CVE-2026-0863 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.5 · CVE-2026-0863 [HIGH]
CVE-2026-0863: NixOS vulnerability analysis and mitigation
Source: NVD · Score 9.9 · Published January 18, 2026 · Severity CRITICAL · CNA Score 8.5
Sources:
https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02
https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/
https://www.smartkeyss.com/post/cve-2026-0863-python-sandbox-escape-in-n8n-via-exception-formatting-and-implicit-code-execution